Launch Offer2 free audits with all 229 checks. No credit card required.Start free audit
ga4audits

Data Deletion Requests: Handling DSAR in GA4 (2026)

Consent & Privacy10 min readIntermediate

How do I delete a user's data from GA4?

GA4 has a Data Deletion Request mechanism in Admin → Data Settings → Data Deletion Requests. You can request deletion by client_id, user_id, or specific event parameter values. Google processes the request within 63 days, removing the data from GA4 reports, the Data API, and BigQuery exports created from that point onward. Existing BigQuery exports are NOT automatically modified — you must run separate DELETE statements on those tables.

For full GDPR compliance you need to: (1) delete from GA4, (2) delete from BigQuery exports, (3) delete from any other system holding GA4-derived data (Looker Studio caches, custom data warehouses, audience syncs to ad platforms). The 63-day window means you cannot guarantee immediate deletion — only confirm it has been requested and tracked.

What GA4's deletion request actually covers

The Admin → Data Settings → Data Deletion Requests interface accepts requests by:

  • client_id — the GA4 anonymous identifier (the _ga cookie value, prefixed GA1.1. etc.)
  • user_id — your custom logged-in user identifier (only if you've implemented user_id sending)
  • Event parameter values — specific values in event_params (useful for deleting events with specific PII that shouldn't have been there)
  • Time-bound deletion — events between specific dates

What gets deleted on processing:

  • The matching events from GA4's standard reports
  • The matching events from the Data API
  • The matching events from any future BigQuery exports
  • The user's audience memberships derived from those events

What is NOT automatically deleted:

  • Existing BigQuery export tables (need separate DELETE)
  • Cached data in Looker Studio (refresh required)
  • Data already synced to Google Ads, Meta, or other ad platforms (handled by those platforms' own deletion mechanisms)
  • Reports based on the data that have already been generated and sent (you can't recall a PDF)
  • Aggregate-level metrics that include the user's contribution (these are too granular to selectively reduce)

The 63-day processing window

When you submit a deletion request, GA4 schedules it and shows a target completion date — typically 63 days out.

During the processing window:

  • The user's events still appear in GA4 reports
  • The data is still in BigQuery exports
  • You cannot expedite the timeline

After processing:

  • Standard reports no longer include the deleted events
  • Data API queries return reduced data for affected users
  • New BigQuery exports created after processing exclude the deleted events
  • The deletion request shows "Completed" in the admin

This 63-day window matters for GDPR responses. The legal expectation is "without undue delay and within one month" of request receipt. GA4's 63-day window exceeds that. To satisfy GDPR:

  1. Acknowledge the user's request immediately upon receipt
  2. Submit the GA4 deletion request the same day
  3. Document the GA4 deletion-request reference number
  4. Communicate to the user that deletion has been requested and the timeline
  5. Run separate BigQuery DELETE statements yourself (not subject to the 63-day window — under your control)

GDPR auditors generally accept this if documented. The point is documented action and reasonable progress, not impossible-instant deletion.

The BigQuery export complication

This is the single biggest gotcha with GA4 deletion requests. Existing BigQuery export tables are not automatically modified.

If a user submitted a deletion request and you have BigQuery export running, you need to:

  1. Submit the GA4 deletion request (covers GA4 reports going forward)
  2. Run a DELETE statement on your BigQuery tables yourself

Sample DELETE pattern:

For user_id-based deletion (logged-in users):

Need to validate whether consent timing is distorting your GA4 data?

Audit consent setup

Run these as scheduled queries or as part of your DSAR fulfilment workflow. Document each DELETE for compliance audit trails.

The "GA4 shouldn't have PII anyway" clarification

A common confusion: "we got a DSAR for John Smith — how do we find his GA4 data?"

If you've implemented GA4 correctly, you don't have John Smith's PII in GA4 at all. GA4 has:

  • An anonymous client_id (the _ga cookie value)
  • Possibly a user_id (your internal user identifier, not PII)
  • Event data (page views, clicks, purchases) tied to those identifiers

To delete a specific user's GA4 data, you need to map "John Smith" → their client_id or user_id. This mapping lives in your CRM or backend, not in GA4. GA4 doesn't know who anyone is.

The workflow:

  1. Receive DSAR for a named individual
  2. Look up their user_id and recent client_ids from your CRM/backend
  3. Submit GA4 deletion request for those identifiers
  4. Run BigQuery DELETE for those identifiers
  5. Document in your DSAR log with reference numbers

If your GA4 events contain actual PII (email addresses in event params, full names in custom dimensions), that's a TOS violation and a deeper compliance problem. GA4 Terms of Service prohibit PII. Fix that first, then handle DSARs for the corrected forward state.

What about audience exclusion as an alternative?

A pragmatic alternative for low-volume DSARs: build a GA4 audience excluding the user, apply it to all reports.

Pros: faster than deletion, doesn't have the 63-day window. Cons: doesn't actually delete data — the user's events still exist in GA4 storage, BigQuery, and any caches. Audience exclusion alone does not satisfy GDPR deletion requirements.

Use audience exclusion as a stop-gap for high-volume scenarios where actual deletion is impractical, but always combine with proper deletion requests for full compliance.

The four-step DSAR workflow

For each user deletion request:

Step 1 — Receive and acknowledge

User submits DSAR (via privacy email, contact form, or written letter). Acknowledge within 72 hours per GDPR best practice. Begin internal tracking.

Step 2 — Identify GA4 identifiers

Map the user's identity to their GA4 client_id(s) and user_id (if used). This requires your CRM/backend integration with GA4 — typically the client_id is captured at user signup and stored on the user record.

If you don't have this mapping, you cannot fulfil the DSAR completely for GA4 data — document this limitation in your privacy policy.

Step 3 — Submit GA4 + BigQuery deletions

Submit the GA4 Admin deletion request. Run the corresponding BigQuery DELETE statements. Document both with timestamps and reference numbers.

Step 4 — Communicate completion

Inform the user that deletion has been requested, with timeline (63 days for GA4 standard, immediate for BigQuery). Provide reference numbers if requested. Update your DSAR log with completion confirmation when GA4 processes the request.

This four-step workflow, documented and consistently executed, satisfies most GDPR auditors. The combination of "we requested deletion immediately, BigQuery is already deleted, GA4 is on its 63-day schedule" is defensible.

FAQ: Data Deletion Requests: Handling DSAR in GA4

Can data deletion requests: handling dsar in ga4 be caused by consent timing instead of a tag bug?

Yes. Many consent-related issues come from when the signal arrives, not whether the setting exists in the interface. Browser-level validation matters more than screenshots of the CMP setup.

Should I test this only in GA4 reports?

No. Start in the browser first, then confirm the reporting impact in GA4. Otherwise you may confuse modeled-data shifts with broken implementation.

What is the fastest way to prevent this from happening again?

Create a repeatable QA step for banner changes, region logic, and container releases so consent behavior is validated before it reaches production users.

Validate Data Deletion Requests: Handling DSAR in GA4 before it becomes a compliance and reporting problem

Run a free audit to check consent timing, browser behavior, and downstream GA4 impact in one workflow.

Audit Consent Setup

These findings come from auditing thousands of GA4 properties. See how your property compares

GA4 Audits Team

GA4 Audits Team

Analytics Engineering

Specialising in GA4 architecture, consent mode implementation, and multi-layer audit frameworks.

Share

Keep reading

More guides in Consent & Privacy

Internal links should help the reader move deeper into the topic, not just pad the page. These are the next three most relevant reads from the library.

Consent & PrivacyHow to Test Consent Mode V2 in 5 Minutes: A DevTools Walkthrough (2026)Open Chrome DevTools → Network tab → filter for collect → reject all on the cookie banner → confirm GA4 hits still fire with gcs=G100 (denied) and ad_user_data=denied. Then accept all → confirm gcs=G111 (granted). If hits don't fire at all in either state, Consent Mode is misconfigured. If gcs is missing entirely…9 min readConsent & PrivacyGCS Parameter Decoded: What G100, G110, G111 Mean in GA4 HitsThe gcs parameter in GA4 network requests encodes the user's consent state for two of the four Consent Mode signals. Format: G1xy where G1 is constant, x is ad_storage (0=denied, 1=granted), y is analytics_storage (0=denied, 1=granted)…7 min readConsent & Privacy'consent_default' vs 'consent_update': Which Comes First in GTM (2026)The consent_default command must fire before any tag — typically as the first script in <head> or as a Consent Initialization tag in GTM with priority 100. The consent_update command fires after the user interacts with the cookie banner…10 min read